OAKLAND, Calif. — At his high-rise medical office in Oakland, orthopedic surgeon David Chang recently switched from those familiar but cumbersome paper medical files to digital records, making the change ahead of a federal requirement that goes into effect for all medical providers in 2014.

Chang now has a private company store his patients’ records electronically.

“Not only was it free – which was fantastic – but it saved me time,” said Chang.

That company is Practice Fusion in San Francisco. It’s part of a booming industry in electronic medical records software. Its service is free to some 30,000 doctors. KTVU discovered the reason the service is free is that the company legally sells the patient medical information it collects. Buyers include drug companies, medical insurers and others. They can get it if they say it’s for research…

…Some were opposed to such wholesale distribution of patient information.

“This is a nightmare. This is a nightmare. It’s nothing we’ve ever seen before in medicine,” said patient privacy rights advocate Dr. Deborah Peel.

Peel said many patients and doctors don’t know the federal government quietly eliminated patients’ privacy rights for electronic records.

“It’s a free-for-all. It’s the wild west,” said Peel…

…Dr. Peel said new technology, for as little as five dollars a year, could protect your privacy and allow you to opt out of research databases. Privacy advocates said concerned patients need to lobby their lawmakers now.

The story highlights the use of DNA testing by ‘employers’–Major League Baseball franchises. Baseball tests to verify the ages and identities of players from Latin America, but the test samples can also be used to detect familial genetic diseases such as ALS (which Lou Gehrig had).

• “DNA contains a host of information about risks for future diseases that prospective employers might be interested in discovering and considering,” said Kathy Hudson, the director of the Genetics and Public Policy Center and an associate professor at Johns Hopkins University. “The point of GINA was to remove the temptation and prohibit employers from asking or receiving genetic information.”

Baseball players are not the only ones whose DNA and genetic tests can be used against them–the same thing can happen to all of us.

According to GINA, employers and insurers can’t use genetic tests to discriminate against employees or enrollees in health plans, but there is no way to tell whether they do or not. Employers and insurers do not have to inform us if they have copies of our genetic or DNA records.

• Do you think an employer is going to tell you that you were passed over for a promotion based on your DNA?

GINA is toothless–it forbids bad behavior but there is no way to enforce it.

And Americans’ genetic privacy is not protected by HIPAA. HIPAA makes it impossible for any of us to prevent OUR sensitive health information from being used by millions of ‘covered entities’ and ‘business associates’ for purposes we would never agree with–including using genetic tests to discriminate against us.

Facebook users control who sees the personal information they post on their walls, but Americans can’t control who sees their electronic health information. What’s wrong with this picture?

The rules for spending $19 Billion on health IT are being written now. Now is the time we must press to restore control over OUR personal health data.

Sometimes press releases for new products tell us far more about the risk of identity theft in electronic health systems than the mainstream press or trade journals.

Check out this zinger quote: “Most organizations don’t even know where their PHI is.” Why doesn’t the mainstream press tell the public that the health care organizations (like hospitals) have no idea where all their sensitive personal health data resides?

How about this: “The software (Identity Finder) automatically finds PHI such as social security numbers, medical record numbers, dates of birth, driver licenses, personal addresses, and other private data within files, e-mails, databases, websites, and system areas. Once found, the software makes it simple for users or administrators to permanently shred, scrub, or secure the information.” Emails? Who sends driver’s license numbers, SS#s, and dates of birth in emails? Clearly lots of healthcare organizations do.
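As an added illustration of what that kind of discovery tool does (this is not Identity Finder’s code or anything from the page), here is a small PHI finder-and-scrubber run over constructed sample text; the `MRN-` format, the SSN/DOB plausibility rules and the sample lines are assumptions made for the example.

```python
import re
from datetime import date

# Constructed sample text for this example; none of these values belong to a real person.
SAMPLE = """\
Patient: Jane Roe, DOB 03/14/1962, MRN-00482917
Please fax SSN 219-09-9999 to billing; driver license D1234567
Duplicate check: SSN 000-12-3456 should be ignored (invalid area)
Appointment reminder, no identifiers here.
"""

PATTERNS = {
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "dob": re.compile(r"\b(\d{2})/(\d{2})/(\d{4})\b"),
    "mrn": re.compile(r"\bMRN-(\d{8})\b"),   # assumed record-number format for this example
}

def valid_ssn(area, group, serial):
    """Reject structurally impossible SSNs (area 000/666/9xx, group 00, serial 0000) to cut false positives."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def valid_dob(mm, dd, yyyy):
    """Accept only real calendar dates between 1900 and today as dates of birth."""
    try:
        d = date(int(yyyy), int(mm), int(dd))
    except ValueError:
        return False
    return date(1900, 1, 1) <= d <= date.today()

def find_phi(text):
    """Return (kind, value, line_no) for every plausible PHI hit, line by line."""
    hits = []
    for ln, line in enumerate(text.splitlines(), 1):
        for m in PATTERNS["ssn"].finditer(line):
            if valid_ssn(*m.groups()):
                hits.append(("ssn", m.group(0), ln))
        for m in PATTERNS["dob"].finditer(line):
            if valid_dob(*m.groups()):
                hits.append(("dob", m.group(0), ln))
        for m in PATTERNS["mrn"].finditer(line):
            hits.append(("mrn", m.group(0), ln))
    return hits

def scrub(text):
    """Replace each confirmed hit with a tag so the file or email can be retained safely."""
    out = text
    for kind, value, _ in find_phi(text):
        out = out.replace(value, f"[{kind.upper()} REDACTED]")
    return out
```

The driver license value is deliberately left unmatched: state formats vary too much for a single pattern, which is exactly the kind of gap a real deployment has to inventory rather than assume away.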

This story details identity theft by a Denver hospital employee. It is a single instance, but it shows how easy it is for any hospital employee, anywhere to steal patients’ identities.

Hospitals will become a major source for identity theft because today’s primitive, poorly designed health IT systems allow thousands of employees access to all patient information–including what’s needed to steal identities. Not only can thousands of hospital employees see every patient’s medical records (think George Clooney and Farrah Fawcett–whose records were sold to the Enquirer), they can see and steal the demographic and financial information too.

For whatever reasons, the media has primarily reported on how wonderful electronic health systems are without explaining the severe risks they pose to privacy and the new problems they can create (errors, downtime, work flow obstacles, data sales, lack of interoperability, etc).

The health IT stimulus bill with $20B for HIT needs very strong consumer protections to ensure that the current ‘norm’ for hospital electronic health systems, i.e. badly designed, open access systems, is replaced by systems that only allow access to the few staff members the patient has given permission to see and use his/her electronic records. The current HIT bill does not require the use of consent management technologies to restore patient control over PHI.